Obtain or Create the Credential

Create or obtain the credential that the server uses to sign HTTP messages:

For development environments, a self-signed certificate is adequate. When self-signed certificates are used for SSL, the web browser requires you to manually trust the certificate when opening a web page.

For production environments, use a certificate that is signed by a certificate authority (CA). When the public certificate of the CA is imported in the web browser, your certificate is automatically trusted.

Create a Credential for Development

Use the Java keytool to create a self-signed credential and to store it in a keystore file. The following procedure uses a single command that includes all of the information needed to create the keystore. For complete information about the command, see the Oracle Java SE Documentation.

Create a directory named ssl in the directory where the quickstart JAR file is located.

In the command prompt, type the following command to create the credential and keystore:

Obtain a Credential for Use in Production

In production environments, use a certificate that is signed by a trusted certificate authority (CA). Use the Java keytool to generate a certificate signing request, and when you obtain the signed certificate, import it into your keystore.

Enable SSL on the Publish Instance

Enable HTTP over SSL on the publish instance to secure connections with web clients and with replication agents. (Secure connections with replication agents also require changes to the agent configurations, which are described in the next section.)

Follow the same procedure as for configuring the author instance, with the following differences:

Click Edit (below the Test Connection link) and then click the Transport tab.

In the URI box, change the URL so that it uses the HTTPS protocol and the port that you configured for SSL on the publish instance.

If you used a self-signed certificate to enable SSL on publish, select Enable Relaxed SSL.

Click OK.

Click Test Connection.

Forcing the Use of the SSL Port

If you want all users to connect over SSL, redirect traffic to the URL that uses HTTP over SSL.

Note:

The steps presented below do not force the use of the SSL port for HTTP requests to CRXDE Lite, Package Manager or Content Explorer. The requests going to these administrative consoles do not go through the Sling request pipeline. For these scenarios, you should utilize Dispatcher to redirect the requests by using the Apache Web Server. For further details, see the Dispatcher and the official Apache documentation.

The following example redirects traffic for localhost:4502 to https://localhost:5433. To configure the redirect, create a sling:mapping node. Use a node name that matches the requested URL. Add a sling:redirect property to specify the URL for redirection.
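
The following Python example is added here and is not part of the original documentation. It builds the mapping node for the redirect described above, rejects a redirect target that is not HTTPS, and checks a response against the configured target. The /etc/map/http root, the host.port node name and the sling:Mapping node type follow Apache Sling's resource-mapping conventions and are assumptions, as are the helper names mapping_node and redirect_enforced.

```python
import json
from urllib.parse import urlsplit

# Assumption: Sling's default mapping root for requests that arrive over plain HTTP.
MAP_ROOT = "/etc/map/http"


def mapping_node(host, port, target):
    """Return (path, properties) for a mapping node that redirects
    plain-HTTP requests for host:port to the HTTPS target URL."""
    t = urlsplit(target)
    if t.scheme != "https" or not t.hostname:
        raise ValueError("redirect target must be an absolute https:// URL")
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range")
    # Assumption: the node name is the requested host and port joined by a dot.
    path = f"{MAP_ROOT}/{host}.{port}"
    props = {"jcr:primaryType": "sling:Mapping", "sling:redirect": target}
    return path, props


def redirect_enforced(status, headers, target):
    """Check one HTTP response: it must be a redirect whose Location
    uses https and stays on the configured host and port."""
    if status not in (301, 302, 303, 307, 308):
        return False
    loc = urlsplit(headers.get("Location", ""))
    want = urlsplit(target)
    return (loc.scheme, loc.hostname, loc.port) == ("https", want.hostname, want.port)


if __name__ == "__main__":
    target = "https://localhost:5433"
    path, props = mapping_node("localhost", 4502, target)
    print(path)
    print(json.dumps(props, indent=2))
    # Constructed sample responses, not captured from a real instance.
    samples = [
        (302, {"Location": "https://localhost:5433/content.html"}),
        (200, {}),                                         # content served over HTTP
        (302, {"Location": "http://localhost:4502/x"}),   # redirect stays on HTTP
    ]
    for status, headers in samples:
        print(status, headers, redirect_enforced(status, headers, target))
```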